Cyber insurance is something I believe many will miss out on when they first establish their digital footprint. It might not have been that important in the past, but the story is different now.
Every single day, we can see stories of cyber-attacks happening. All of these attacks highlight that it is relatively easy to get hacked nowadays, and those reported are the big cases. What about the small cases that didn't make their way to the news?
Considering this reason alone, it seems that an organization needs to buy cyber insurance. And how to do that? Well, before I go any further, let's make sure everyone has a clear understanding of what cyber insurance is.
Definition of cyber insurance
The definition provided by Wikipedia on cyber insurance is “an insurance product used to protect businesses and individual users from internet-based risks, and more generally from risks relating to information technology infrastructure and activities.” Long definition. So, to put it more simply, it's an insurance policy that protects you from any damage caused by a cyber-attack.
Why do we need it?
We didn't need it in the past as much as we need it now, I am sure. Back then, internet access was hard to come by, so there were fewer cases of cyber-attack, and those who had access to the internet were generally more alert to cybersecurity. However, as the number of people on the internet increases (3.2 billion as of 2015) and not enough effort goes into emphasizing the importance of cybersecurity, the need for cyber insurance has become essential, especially for corporations.
What does cyber insurance cover?
Like every insurance policy, every insurance company will cover different things. However, there are still some basic items that are covered by every insurance company, i.e., data breach liability, regulatory penalties and investigation expenses, delay costs to the business, and data loss costs. Of course, there are other things that different insurance companies insure differently.
How does the underwriting process for cyber insurance work?
Based on what I have researched, it appears that cyber insurance underwriting is still a very challenging task for insurance companies. This is because, unlike property insurance or life insurance, there is no structural measurement when it comes to cybersecurity. Or to put it this way, there is literally no way one can be totally safe in the cyber world. Therefore, different insurance companies will have different underwriting processes. Take Chubb, for example: they adapted and modified the COPE model to make it more relevant to cybersecurity. COPE in cyber insurance stands for Component, Organization, Protection, and Exposures.
Component: This is a very objective measurement, where the number of endpoints and network connections, software versions, and data center locations are measured.
Organization: This is also an objective measurement, where the policyholder's industry, quality of IT and security-related policies, use of industry standards, and company cybersecurity awareness culture are measured.
Protection: This is a subjective measurement carried out by experts to measure data retention policies, firewalls, monitoring, and incident response/response readiness policies.
Exposures: As with Protection, this is a subjective measurement carried out by experts to identify political or criminal motivation, types of outsourcing, and the type/amount of sensitive information.
As with every other insurance, we need to stay aware and alert even when we are insured. No doubt we are covered if something should happen, but keeping ourselves and our company cybersecurity-aware is still the key to staying safe. After all, we don't really want to use our insurance even if we buy it, right?